What is P4wnP1?

P4wnP1 is an open source, highly customizable USB attack platform, based on a low cost Raspberry Pi Zero or Raspberry Pi Zero W. I’m sure you must have heard about the wonderful tools from Hak5. Well, now there is an open source variant which I think combines Rubber Ducky and Bash Bunny, with support for Human Interface Device (HID) attacks and network attacks. When it comes to HID attacks, P4wnP1 can be installed as a plug-and-play keyboard. When network attacks come into the picture, it acts as a Remote Network Driver Interface Specification (RNDIS) interface for Windows targets and as a USB Communications Device Class (CDC) – Ethernet Control Model (ECM) Subclass interface for *NIX based targets.

Fake RNDIS network interface speed of up to 20GB/s, to get the lowest metric and win every fight for the dominating ‘default gateway’ entry in routing tables while carrying out network attacks.

Automatic link detection and interface switching, if a payload enables both RNDIS and ECM network

An SSH server is running by default, so P4wnP1 can be reached on 172.16.0.1 (as long as the payload enables RNDIS, CDC ECM or both) or on 172.24.0.1 via WiFi

If both WiFi client mode and WiFi Access Point mode are enabled, P4wnP1 fails over to opening an Access Point in case the target WiFi isn’t reachable (Pi Zero W only)

Advanced payload features:

bash payloads based on callbacks (see template.txt payload for details)

onNetworkUp (when target host gets network link active)

onTargetGotIP (if the target received an IP, the IP could be accessed from the payload script)

onKeyboardUp (when keyboard driver installation on target has finished and keyboard is usable)

onLogin (when a user logs in to P4wnP1 via SSH)

configuration can be done globally (setup.cfg) or overwritten per payload (if the same parameter is defined in the payload script)

settings include:

USB config (Vendor ID, Product ID, device types to enable …)

WiFi config (SSID, password …)

HID keyboard config (target keyboard language etc.)

Network and DHCP config

Payload Selection

These are not the only features! There are a lot more, which the author discusses in much more detail at the official wiki. You can use P4wnP1 to install stuff and gain access to airgapped systems, launch man-in-the-middle attacks and exfiltrate information. In fact, using this tool, the author – @mame82 – also found a vulnerability in Oracle Java installations! You must now be wondering why there is a need for P4wnP1 when Rubber Ducky already exists. These are the reasons I found most appealing:

You have the ability to handle Ducky Scripts embedded in a bash-like payload.

You also have the ability to run native keyboard payloads when an event such as a key press is triggered.

When installed on a Raspberry Pi Zero W, keyboard attacks can also be fired via WiFi by spawning an access point.
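
From the defender's side, the combination described above (a keyboard plus an RNDIS or CDC ECM network interface on one USB device) is visible in the interface descriptors the device enumerates with. The following is an added example, not code from P4wnP1 or its author: it flags any device exposing a HID interface together with a network interface, using a constructed sample inventory; the function names are hypothetical and the live-data reader assumes Linux sysfs.

```python
from pathlib import Path

# Interface (class, subclass, protocol) triples that bind as USB network adapters.
NETWORK = {
    (0x02, 0x06, 0x00): "CDC ECM",
    (0xE0, 0x01, 0x03): "RNDIS",   # wireless-controller class RNDIS
    (0x02, 0x02, 0xFF): "RNDIS",   # CDC ACM with vendor protocol
    (0xEF, 0x04, 0x01): "RNDIS",   # miscellaneous class, RNDIS over Ethernet
}
FIELDS = ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")

def roles(interfaces):
    """Return the roles ('HID', 'RNDIS', 'CDC ECM') found in a device's interfaces."""
    found = set()
    for triple in interfaces:
        if triple[0] == 0x03:      # any HID: non-boot keyboards report 03/00/00
            found.add("HID")
        elif triple in NETWORK:
            found.add(NETWORK[triple])
    return found

def suspicious(devices):
    """Map device id -> sorted roles for devices pairing HID with a network role."""
    found = {dev: roles(intfs) for dev, intfs in devices.items()}
    return {dev: sorted(r) for dev, r in found.items() if "HID" in r and len(r) > 1}

def read_sysfs(root="/sys/bus/usb/devices"):
    """Collect interface triples per device from Linux sysfs entries like '1-1:1.0'."""
    devices = {}
    for intf in Path(root).glob("*:*"):
        try:
            triple = tuple(int((intf / f).read_text(), 16) for f in FIELDS)
        except (OSError, ValueError):
            continue
        devices.setdefault(intf.name.split(":")[0], []).append(triple)
    return devices

# Constructed sample inventory (not captured from a real host).
SAMPLE = {
    "1-1": [(0x03, 0x01, 0x01)],                          # plain keyboard
    "1-2": [(0x02, 0x06, 0x00), (0x0A, 0x00, 0x00)],      # USB Ethernet adapter
    "1-3": [(0xE0, 0x01, 0x03), (0x0A, 0x00, 0x00),       # RNDIS + ECM + keyboard
            (0x02, 0x06, 0x00), (0x0A, 0x00, 0x00), (0x03, 0x01, 0x01)],
}

if __name__ == "__main__":
    print(suspicious(read_sysfs() or SAMPLE))
```

A hit is a triage signal rather than proof, since a legitimate composite device could combine these classes; the vendor and product IDs are not a reliable discriminator because the page notes they are configurable.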
